Mozilla Foundation Security Advisory 2008-18

Java socket connection to any local port via LiveConnect

Announced

March 25, 2008

Reporter

Gregory Fleischer

Impact

High

Products

Firefox, SeaMonkey

Fixed in

Firefox 2.0.0.13

SeaMonkey 1.1.9

Description

Security researcher Gregory Fleischer demonstrated that
web content fetched via the jar: protocol can use Java via
LiveConnect to open socket connections to arbitrary ports on the user's machine
("localhost"). The issue is caused by improper parsing of the content origin
passed from the browser to the Java plugin. Such content was incorrectly
evaluated to have a null host, assumed to be a local file, and was
subsequently allowed permission to connect to the localhost. Sun has updated
the Java Runtime Environment with a fix for this problem. Mozilla has also
added a fix to LiveConnect to protect users who don't have the latest version
of Java.

Workaround

Disable Java until a version containing fixes can be installed or upgrade
your system's JRE to one of the fixed versions listed in Sun's advisory:
1.6.0_05, 1.5.0_15, and 1.4.2_17.